PROFESSIONALCOMMUNITY

Spoofing your IP address using Burp Proxy match and replace

  • Last updated: May 17, 2022

  • Read time: 3 Minutes

Burp Proxy allows you to configure match and replace rules that automatically modify your requests and responses while you explore the target application as normal using Burp's browser. This enables you to add, remove, or modify headers in requests or responses, for example.

There are a number of uses for this, including potentially spoofing your IP address. In some cases, this may allow you to trick a server into believing that you belong to its local network, which could enable you to communicate with internal infrastructure that is otherwise inaccessible.

In this tutorial you'll learn how to:

  • Set match and replace rules in Burp Suite.
  • Use match and replace rules to add a header to your requests.
  • Spoof your IP address to compromise a vulnerable server that uses a form of IP-based authentication.

Note

Burp's browser is an easy way to proxy HTTP traffic - even over the encrypted HTTPS protocol. There is no setup required - simply go to the Proxy tab, click Open Browser, and ensure Intercept is off.

Step 1: Open the lab

Open Burp's browser and access the following lab:

https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-authentication-bypass

Step 2: Attempt to access the admin panel

Try to access the admin panel at /admin.

Note that you are prevented from doing so as this is only accessible to local users.

A Web Security Admin page which you are unable to access

For simplicity, let's assume that you've subsequently identified that the server is using a custom HTTP header, X-Custom-IP-Authorization, to determine your IP address.

Note

In the wild, the de-facto standard header X-Forwarded-For is often used for this purpose, but you may encounter websites that use different custom headers. These are normally applied to your requests by an intermediary server, such as a load balancer or other reverse proxy belonging to a CDN, for example.

Step 3: Add a custom match and replace rule

In Burp Suite, go to the Proxy > Options tab.

Under Match and Replace, click Add.

Leave the Match field empty. This ensures that Burp will append a new header to requests rather than replacing an existing one.

In the Replace field, enter the following:

X-Custom-IP-Authorization: 127.0.0.1

Click OK.

Burp Proxy will now add this header to every request you make in Burp's browser.

Adding a custom match and replace rule in Burp Proxy to spoof your IP address

Step 4: Try to access the admin panel again

In Burp's browser, try browsing to /admin again. Observe that you can now access the admin page and delete Carlos to solve the lab.

Deleting Carlos from the admin panel

In Burp, you can confirm that the header was added to your requests by checking them in the Logger tab:

Viewing the automatically modified request in the Logger tab

Alternatively, on the Proxy > HTTP history tab, you can use the drop-down menu to toggle between the original request that was sent by the browser, and the modified one that Burp Proxy forwarded to the server.

Viewing the automatically modified request in the HTTP history tab

Note

Although we've manually added a custom header in this case, Burp Suite provides a number of built-in match and replace rules to cover some of the most common use cases. You just need to enable them under Proxy > Options > Match and replace.

Summary and next steps

Congratulations - now you know how to use Burp Proxy's match and replace rules, and have used them to spoof your IP address.

To learn how you could have discovered the custom header we used to solve the lab, check out the learning materials on the Web Security Academy.

For more general information on authentication, as well as other types of attack you can carry out using Burp Suite, see the Authentication topic in the Web Security Academy.